Safelock: biometric typing security

We’ve seen some ways to bypass biometric security measures, but here’s a new offering that we think will be hard to fool. The Safelock system is used in conjunction with a password to verify a specific user. The software records your typing style: the time between keystrokes (flight time), the time each key is held (dwell time), and key pressure data. This information is then normalized and compared to the profile stored for the user when the password was originally set. If your typing doesn’t fall within the tolerances of the stored profile, you won’t get in even with the right password.

The icing on the cake is that Safelock will look for malicious users. If you enter the wrong password, it will begin to record and analyze your typing style. If you make enough incorrect attempts you will be labeled as a security threat and locked out of the system altogether. We can only think of one reliable way to circumvent this and that’s using a man-in-the-middle method of recording the keyboard inputs of the legitimate user for playback later.
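The mechanism the two paragraphs above describe (record dwell, flight and pressure data, normalize it against the enrolled profile, reject a correct password typed with the wrong rhythm, and lock the account after repeated bad passwords) in working form. This is an added example, not Safelock's code: the feature layout, the per-feature z-score with a threshold of 2.0, the exponential-moving-average adaptation after a successful login, the three-strike lockout and the `hunter2` typing profile are all assumptions constructed for the demonstration.

```python
import statistics
from dataclasses import dataclass

# Constructed sample credential and typing profile (not from the page).
PASSWORD = "hunter2"
BASE_DWELL = [0.08, 0.09, 0.07, 0.10, 0.08, 0.09, 0.11]   # seconds each key is held
BASE_FLIGHT = [0.12, 0.15, 0.10, 0.18, 0.14, 0.13]        # seconds between keys
BASE_PRESSURE = [0.6, 0.7, 0.5, 0.8, 0.6, 0.7, 0.6]       # normalized 0..1 per key
STD_FLOOR = 0.005   # assumed: a feature's spread never collapses to zero
THRESHOLD = 2.0     # assumed: mean |z| above this is a rhythm mismatch


@dataclass
class Attempt:
    password: str
    dwell: list
    flight: list
    pressure: list


def features(a):
    """Flatten one attempt into the vector the template is built on."""
    return list(a.dwell) + list(a.flight) + list(a.pressure)


def scaled(timing, pressure, password=PASSWORD):
    """Constructed attempt: the base profile stretched by the given factors."""
    return Attempt(password,
                   [d * timing for d in BASE_DWELL],
                   [f * timing for f in BASE_FLIGHT],
                   [p * pressure for p in BASE_PRESSURE])


# Five enrollment samples of the owner typing the password (constructed).
ENROLLMENT = [scaled(t, p) for t, p in
              [(0.95, 1.0), (1.0, 0.97), (1.05, 1.03), (0.98, 1.0), (1.02, 1.0)]]


class Template:
    """Per-feature mean and spread learned at enrollment."""

    def __init__(self, samples):
        vecs = [features(s) for s in samples]
        cols = list(zip(*vecs))
        self.mean = [statistics.fmean(c) for c in cols]
        self.std = [max(statistics.pstdev(c), STD_FLOOR) for c in cols]

    def score(self, attempt):
        """Normalize the attempt against the template: mean absolute z-score."""
        z = [abs(x - m) / s for x, m, s in zip(features(attempt), self.mean, self.std)]
        return statistics.fmean(z)

    def update(self, attempt, alpha=0.1):
        """Drift the template toward a successful login (assumed adaptation rule)."""
        for i, x in enumerate(features(attempt)):
            self.std[i] = max((1 - alpha) * self.std[i] + alpha * abs(x - self.mean[i]), STD_FLOOR)
            self.mean[i] = (1 - alpha) * self.mean[i] + alpha * x


class Safelock:
    def __init__(self, password, template, max_failures=3):
        self.password = password
        self.template = template
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.suspect_samples = []   # typing data recorded from wrong-password attempts

    def login(self, attempt):
        if self.locked:
            return "locked"
        if attempt.password != self.password:
            # Wrong password: start profiling the typist and count toward lockout.
            self.failures += 1
            self.suspect_samples.append(features(attempt))
            if self.failures >= self.max_failures:
                self.locked = True
                return "locked"
            return "bad-password"
        if self.template.score(attempt) > THRESHOLD:
            return "rhythm-mismatch"   # right secret, wrong hands
        self.template.update(attempt)
        self.failures = 0
        return "ok"


def demo():
    lock = Safelock(PASSWORD, Template(ENROLLMENT))
    outcomes = [lock.login(scaled(1.03, 1.02))]      # owner, slightly slower today
    outcomes.append(lock.login(scaled(1.6, 1.2)))    # correct password, foreign rhythm
    for _ in range(3):                               # three wrong passwords
        outcomes.append(lock.login(scaled(1.0, 1.0, password="hunter3")))
    outcomes.append(lock.login(scaled(1.0, 1.0)))    # owner, now locked out
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The floor on the per-feature spread is the part worth tuning in practice: with only a handful of enrollment samples the measured deviation is tiny, and without a floor the first slightly different login would be rejected, which is the false-rejection problem several of the comments below complain about.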

This is an innovative user identification system, and we’re not the only ones that think so. [Jeff Allen] and [John Howard], students at SMU, won first prize in the Student Innovation Contest at the 2009 User Interface Software and Technology Symposium.

33 thoughts on “Safelock: biometric typing security”

Very interesting idea, though it requires a special pressure-sensitive keyboard to work to its full potential. Obviously they could do the key press timing and hold times with a regular board, but I suppose it would lose a lot of accuracy without the hold pressure data.

It also seems like the effectiveness of this system is directly proportional to the length and complexity of the password; there is only so much timing data that could be extrapolated from a 4 letter password. That, and I am not sure how much I like the idea of being denied access to the system even if I typed in the correct password. Even though they say the system is 96% accurate, I KNOW there are some times I am not typing the same way as I usually do for whatever reason.

Unfortunately, that method doesn’t travel well. People type differently at different keyboards and in different typing positions (sitting, standing up, one handed, etc). So all you get is a security system that locks out its own users. Not all that useful (we tried a system like this in a mid-size hospital). Two factor authentication (i.e. password PLUS swipe card) is still the easiest and most effective/secure method – at least for environments where people move about and use multiple different platforms.

I can attest to what MS3FGX said; I’m typing one-handed after breaking three fingers, and my typing style is different. Not only did it change after the accident, it’s changed nearly every day as I get used to touch-typing this way. As a sysadmin, getting locked out because of hunt-and-pecking the password is not a good thing.

I thought of this a year or two ago and started to program it. But I told my older brother about it and he told me that it was pointless because someone would have done it by then (I actually listen to my brothers sometimes) and so I stopped programming it. (Like I would have even got close) lol

Breaking/losing a finger would likely be problematic, yes. Thankfully, that seems to be an extraordinary situation – a sysadmin could likely turn off some of the timing in such an event?

@Jesse / @Skyler: The algorithm is adaptive; it will be slightly tuned with every successful login. As you get more comfortable typing a password (which surely happens the longer you’ve had the password), your typing “signature” grows with you.

This is just as weak as any other password-based system. How are most passwords stolen? Viruses. What can a virus do once it gets on your system? Anything it wants, including recording the time/pressure data as you enter the password into your online banking site, which the evil botnet overlord can then replay from his evil lair at his leisure.

This was a system described in detail in the beginning of the book ‘Prey’ by Michael Crichton (an excellent read, dealing in high-tech and proverbial grey goo). It’s not a new concept, and it’s not accurate by any means. My typing style changes quite often based on my mood, the time of day, and how lazy I’m feeling. This will never be a viable biometric verification.

I’ve seen (unpublished, unfortunately) results showing how ineffective this is, and the short of it is that there’s a reason that biopassword/AdmitOne and ID Control BV have not got noticeable market shares. Keystroke metrics are either so loose that they prevent almost nothing or are so tight that the intended user can’t get access, and anything in the middle lets too much in while still often rejecting the real deal.

Why is this useful? How is it more secure than just using a password? Someone using a keylogger can log the timing data and play it back almost as easily as a normal password.

Plus it’s much more inconvenient for the legitimate user, forcing them to type the password the same way every time. Sometimes I log in with one hand while doing something else, and often if I make a mistake in my password I want to type it more carefully on the second attempt rather than getting locked out. This system stops me from doing that.

I think that biometric systems have a lot of room for improvement. Two factor systems are simple, but they still have the same fundamental flaw of not identifying a user based on a unique trait which cannot be mimicked.

A better authentication system could be one based on facial expressions. Something like a randomized series of facial expressions that the user must recreate could be a better solution. Muscle control and facial structure are relatively unique. Short of bashing up your face or getting plastic surgery, both of which are events significant enough for the user to know a change in their password is necessary, you shouldn’t have problems with failed authentication in.

Interesting idea… I’d like to know the stats on how many false negatives you experience with this thing. I can imagine people getting pissed off pretty quickly if it rejects you for minor things like a slight change of typing habit, posture, etc.

This would be fine as a confidence test; as a transparent layer of security it would be useful mainly in log files, to see if more than one person has been logging in with a single account.

Take a user being given a domain credential that is meant only for that person, yet the person distributes his login to a few other people in the office. You would likely start seeing trends where everyone would have distinct ways of logging in and you could assess how many people have been using it and more importantly when. Maybe person X shows up as using the login more than person Y.

Like the polygraph, it would probably not be admissible in court, but with creative implementation it could be used in data mining.

As others have said, this has been out for quite a while. The ones I’ve seen recently factor in other markers, such as known IP addresses and time-of-day data, to minimize some of the issues discussed. Type differently before that first cup of coffee? The system understands and corrects for that. Static IP address? Bump up the confidence level. All factors match except one? Lower the confidence, but allow limited access.

It’s still not perfect, but with adequate tuning, it could be “good enough”…

Drug users will not be able to use this system as most of the ‘good drugs’ cause changes in cognition that affect typing speed / key pressure / ‘clumping’ of keys typed.

Also musicians will have issues as well — when you play your instrument you activate all sorts of kinesthetic pathways in the brain. Most of them stay active when you move to your computer and start typing right afterward. Anyone who’s played a guitar and then responded to e-mail has noticed this.

@Jeff: Great, I’ll remember to deactivate the pressure and timing check before I go and break my hand.

Timing attacks like this are easy to beat anyway, as you only need an audio or video recording of the password being typed, or even just listen to the cadence whilst shoulder surfing, and you are then double authenticated.

Plus, when you get the password wrong the second time, you change your typing for the 3rd go, to be certain you haven’t left caps lock on and to avoid the time-out penalty. This would *ensure* you never got in!